
Now, from googling it seems like this 5CD8EBDA_Abn.gbp is yet another part of a beyond-shady "security suite" called G-Buster Browser Defense (aka GbPlugin, aka Warsaw) that some Brazilian banks require so you can do online banking through them. My friend installed this crap on my computer, and I spent weeks cleaning up bits and pieces of it (services, files, registry entries). I think I got them all, with the possible exception of this.


ruggie_uk

Posted 29 June 2015 - 12:09 PM

My nickname is Ruggie and I will be assisting you in cleaning your computer.

Malware removal can be a long process and will at times get complicated with multiple steps to perform to ensure that your system is no longer infected.

When we start the process, the list of instructions must be followed closely, it may seem difficult at times but it is important that you stay with me until your computer is declared clean.

If you are receiving help elsewhere, please let me know so we can close this thread and help someone else.

Before going any further, I recommend that you print out (or save to a file) these guidelines and also the instructions when I post them, as part of the repair process may involve going into safe mode and therefore you will not have internet access.

The following guidelines are important but the ones highlighted in RED are of the highest importance and must not be skipped.

Please save all tools to the desktop. Our tools are updated very regularly, sometimes several times per day, so always download the latest version from the links I provide.

Please be aware, the fixes we perform are specific to this machine, at this moment in time. They must not be used on another computer or unsupervised at another time. This can render your computer unbootable.

If at all possible, Make backups of all your important files, whilst we will do our best to ensure that no files are lost or damaged, sometimes things can go wrong.

I will do everything in my power to ensure that this clean is successful, but occasionally failure hits us all. In this event, please have your original installation disks to hand and be prepared to have to format and reinstall your computer.

Refrain from using any tool that hasn't been instructed as it could alter the process that we are working through and cause further problems. Also only use the tools I instruct in the manner provided as they are very powerful and if not used properly can cause even more problems. It is best if you can avoid using the computer at all, apart from to perform the cleaning steps to ensure that any infections aren't spread.

Please stick with me until the end. Malware removal is difficult and time consuming. We have to analyse hundreds of lines in log files. This takes time which we give freely, so I ask that you do us the courtesy of seeing it through.

Only paste the contents of log files into your reply, DO NOT attach any log files unless requested to do so.

If you have any questions or get stuck, stop and ask....I am here to help you make this go as smoothly as possible.

If you do not reply within 3 days, your topic will be closed. It can be reopened if you ask. But if you plan on being gone for a longer period, just let me know and I will hold it open for you.

Ready? Now let's get to work

Hi, could you kindly post your entire FRST logs and we can make sure that we get it all. There is probably more scattered around.

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

Name: BlueStacks Hypervisor
Description: BlueStacks Hypervisor
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: BstHdDrv
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.
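As an added example (not code from the thread, from FRST or from the GbPlugin vendor), the following PowerShell script does a read-only inventory of the kind of leftovers the opening post describes (services, registry entries, files), using the product names from the thread as assumed search terms, and reports whether each binary it finds carries a valid Authenticode signature, the same check behind FRST's "File is digitally signed" lines. It assumes PowerShell 5 or later and an elevated prompt.

```powershell
# Added example, not code from the thread, from FRST or from GbPlugin's vendor.
# Read-only inventory of leftovers of a removed product: services, autorun and
# uninstall keys, and files under the usual install roots. Each binary found is
# checked for a valid Authenticode signature. Nothing is deleted.
$Patterns = 'gbp', 'gbplugin', 'warsaw'   # assumed name fragments taken from the thread
$regex = ($Patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'
$hits = [System.Collections.Generic.List[object]]::new()

function Get-SignerState([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return 'missing' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'Valid') { return "signed by $($sig.SignerCertificate.Subject)" }
    return "NOT valid ($($sig.Status))"
}

# 1. Services whose name, display name or binary path matches a pattern
Get-CimInstance Win32_Service | Where-Object {
    ($_.Name + $_.DisplayName + $_.PathName) -match $regex
} | ForEach-Object {
    # strip arguments: "C:\path with spaces\x.exe" -k foo  or  C:\path\x.exe -k foo
    $exe = ($_.PathName -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
    $hits.Add([pscustomobject]@{ Where = "service $($_.Name)"; Item = $exe; Signature = (Get-SignerState $exe) })
}

# 2. Autorun and uninstall keys, 64-bit and WOW64 views
$keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
foreach ($key in $keys) {
    Get-ItemProperty -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
        $entry = $_
        $entry.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and "$($_.Name) $($_.Value)" -match $regex } |
            ForEach-Object {
                $hits.Add([pscustomobject]@{ Where = $entry.PSPath; Item = "$($_.Name) = $($_.Value)"; Signature = '' })
            }
    }
}

# 3. Files and folders under the usual install roots (shallow walk to keep it quick)
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData, "$env:SystemRoot\System32\drivers") | Where-Object { $_ }
Get-ChildItem -Path $roots -Recurse -Depth 3 -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $regex } | ForEach-Object {
        $state = if ($_.PSIsContainer) { 'folder' } else { Get-SignerState $_.FullName }
        $hits.Add([pscustomobject]@{ Where = 'filesystem'; Item = $_.FullName; Signature = $state })
    }
$hits | Format-Table -AutoSize
```

Review the table before removing anything; a valid signature from the expected vendor is a strong hint that a hit is a legitimate leftover rather than something else reusing the name.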

ruggie_uk

Posted 30 June 2015 - 02:02 AM

ruggie_uk

Trusted Helper

Malware Removal

2,083 posts

Hi there - ok lets get started.

Firstly:

P2P WARNING!

It appears that there is at least one Peer to Peer (P2P) program on your computer:

Insert Program Here

Whilst some P2P programs themselves may be harmless, we at GeeksToGo do not recommend their use due to the extremely high likelihood of obtaining an infection from files that have been downloaded. This may range from annoying adware to malicious trojans stealing your passwords and other personal information.

There is also the risk of inadvertently sharing information that wasn't intended due to incorrectly configured software.

It is highly likely that this is the source of the issue that brought you here today. And if not, probably what will bring you back at a later date.

Download the attached fixlist.txt and save it to your desktop <<< very important - it must be in the same location as FRST.exe/FRST64.exe

Right click and run as administrator. When the tool opens click Yes to the disclaimer.

Press the Fix button.

It will produce a log called fixlog.txt on your Desktop.

Please copy and paste the contents of that log back here.

NOTICE: This script was written specifically for this user, for use on that particular machine, at this point in time. Running this on another machine may cause damage to your operating system.

Step 2

Junkware Removal Tool
Please download Junkware Removal Tool to your desktop. << Important
Ensure that any security software is temporarily disabled for the duration of the scan. Don't forget to re-enable it afterwards.

Shut down your protection software now to avoid potential conflicts.

Run the tool by right-clicking and select "Run as Administrator".

The tool will open and start scanning your system.

Please be patient as this can take a while to complete depending on your system's specifications.

On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

Post the contents of JRT.txt into your next message.

Step 3

AdwCleaner by Xplode

Download AdwCleaner from here or from here. Save the file to the desktop.

NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

Vista/7/8 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
You will see the following console:

Click the Scan button and wait for the scan to finish.

When the Scan has finished the Scan button will be grayed out and the Cleaning button will be activated.

Click the Cleaning button.

Everything checked will be deleted.

When the program has finished cleaning a report appears.

Once done it will ask to reboot, allow this

On reboot a log will be produced please copy / paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[S0].txt

ruggie_uk

Posted 01 July 2015 - 05:21 AM

Right click the AdwCleaner icon, click Run as administrator and accept the UAC prompt to run AdwCleaner.

Click the Scan button and wait for the scan to complete.

When the Scan has finished the Scan button will be grayed out and the Clean button will be activated.

Click the Clean button.

Everything checked will be deleted.

When the program has finished cleaning a report appears.

Once done it will ask to reboot, allow this

On reboot a log will be produced please copy / paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[S0].txt

Then...

Next...Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware from Here or Here (or re-run it if you already have it installed)

Install the program and select update

Once it has updated select Settings > Detection and Protection > Tick Scan for rootkits

Go back to the Dashboard and select Scan Now

If threats are detected, click the Remove Selected button, MBAM will ask for a reboot

On completion of the scan (or after the reboot) select Save Results

Select text file and save to the desktop.

Please post that log for my review.

Note: You will need to use Internet Explorer or Firefox (You will be prompted to install a helper program if you use Firefox) for this scan.

Important: Please disable your existing AV software for the duration of the scan

Tick the box next to YES, I accept the Terms of Use

Click Start

When asked, allow the ActiveX control to install

Click Start

Make sure that the option Enable detection of potentially unwanted applications is checked

Next click on Advanced Settings and select:

Make sure that the option Remove found threats is NOT checked

Scan archives

Scan for potentially unsafe applications

Enable Anti-Stealth Technology

Click Start, the virus database will update, this may take a while depending on your internet connection.

Once updated, the online scan will begin. (This scan can take several hours, so please be patient)

Once the scan is completed, click Finish

Use Notepad to open the logfile located at C:\Program Files (x86)\ESET\Eset Online Scanner\log.txt

The computer is behaving just fine, other than wuauserv eating tremendous amounts of memory when it runs. I tried a few solutions that didn't work and eventually worked around it by stopping the service whenever I get on the computer and starting it back up when I leave (it stays on overnight).

ruggie_uk

Posted 03 July 2015 - 04:34 AM


Ok well it's all looking good now. As you can see from the ESET scan, a couple of files are flagged, only one I would be concerned about is the Carbonodds poker as themida can be used maliciously, but that's your choice to remove or not.

I also always recommend utorrent removal due to the risks that can be present with P2P software so take that under advisement as well.

Well found with the Microsoft update - I would think that should sort the problem as it can be a known issue.

but anyway :

Good news, it looks like your system is now clean. A good workman cleans up after himself so let's now attend to that

The program will run for a few moments and then notepad will open with a log. Please paste the log in your next reply

We need to uninstall a program

Open Programs and Features by clicking the Start button, clicking Control Panel, clicking Programs, and then clicking Programs and Features.

Select the following programs from the list below, one at a time and click Uninstall.

ESET Online Scanner

Delete the following Files and Folders (If Present):

C:\Program Files (x86)\ESET

Delete any other .bat, .log, .reg, .txt, and any other files created during this process and left on the desktop, and empty the Recycle Bin.

Keep your machine updated

Due to the ever-present tide of malware, it is important to ensure your computer is kept up-to-date to minimize the risk of future infection. An important step is to ensure that automatic updates are enabled.

To enable automatic updates:

Windows 7

To turn on Automatic Updates yourself, follow these steps:

Click Start, type Windows update in the search box, and then click Windows Update in the Programs list.

In the left pane, click Change settings.

Select the option that you want.

Under Recommended updates, select the Give me recommended updates the same way I receive important updates or Include recommended updates when downloading, installing, or notifying me about updates check box, and then click OK.

It is recommended to install an anti-malware program to help prevent reinfection. Below are some free ones that can help keep you clean.

Malwarebytes AntiMalware

As you have installed Malwarebytes, I recommend that you keep this program and use it to help you stay clean.

The free version will scan your computer and fix the problems it finds but will not provide real-time protection. You must scan regularly to find any threats. Consider purchasing the full version for active monitoring of threats.

JAVA Advice

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java. See this article and this article. I would recommend that you completely uninstall Java unless you need it to run important software or need it to play games on-line. In that instance I would recommend that you only use Firefox or Chrome to visit those sites and do the following:

For Chrome, install the ScriptSafe add-on.

-->IMPORTANT<--: After installing the add-ons you will need to tell them that the site you are visiting is allowed to run Javascript. If you don't, the sites won't work properly, or not at all. You can go to the NoScript home page here to learn how to use the add-on.

A.Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older versions of Java components and update:

Download the latest version of the Java Runtime Environment (JRE) Version from Here and save it to your desktop.

Look for "Java Platform, Standard Edition". You will see the current Java version and update number listed under the heading. Example: The newest update is Java SE 8u25

If offered to install a Toolbar, just uncheck the box before continuing unless you want it.

[Note:] The Java Quick Starter (JQS.exe) adds a service to improve the initial start up time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > You will have to be in Classic View to see Java(It looks like a coffee cup). Double-click on Java click the Advanced Tab click Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.

Update Adobe Flash Player

NOTE: Depending on your settings, you may have to temporarily disable your antivirus software and firewall.

Click the Install now button. A download window for the install_flashplayer15x64_mssd_aaa_aih.exe file will open. Save it to the desktop.

Close the browser and all open windows.

Back on the desktop, right click the install_flashplayer15x64_mssd_aaa_aih.exe file and click Run as Administrator to install Flash Player.

Cryptolocker Warning

Go here for information about CryptoLocker Ransomware. The main thing with this infection is ~ Backup. If you're using an external hard drive, keep it unplugged from the computer when you're not backing up files or using it. This will prevent the infection from getting to your backed up files if you ever do come across it.

Recommended Programs

Unchecky is a small service that runs in the background to help keep those "extra toolbars" and tag along search engines from automatically installing. By automatically directing you to a custom install with all the options unchecked, only what you manually choose and confirm gets installed.

https://www.foolishi.../cryptoprevent/ is a free program that prevents CryptoLocker / ransomware from infecting your PC by locking down the OS so the malware can not get a grip on your system.

Web Of Trust is a browser add-on designed to alert the user before interacting with a potentially malicious website. It will highlight green if a site is known to be safe.

ruggie_uk

Posted 06 July 2015 - 06:12 AM


We need to keep the log details for continuity and for assistance with other posts. But if you would like to remove your name that is ok. But there should really be no need as there is no identifiable information in these logs.